Closed rgruyters closed 2 years ago
Super weird! This looks like it was fixed here: https://github.com/hashicorp/consul-template/pull/1591
Before I transfer you over to the consul-template project, could you share what version of that you are using?
I'm not using consul-template, but Vault Agent. The Vault version (both server and Agent) is 1.11.2.
Howdy @rgruyters! I'm able to reproduce this issue as you describe. It is likely either an issue in consul-template (which Vault agent uses for templating), or an issue with our documentation.
In the meantime, could you verify that removing the `.Data` prefix from the template items produces the expected output? With any luck that'll get you unstuck while we investigate the root cause.
e.g.
```
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org" -}}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end -}}
```
I have tested it and it works as expected, but I noticed a different issue: when I use `writeToFile` and add a second template stanza, it only writes the certificate file for the second template.
Templates without `writeToFile`:
```
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=test.test.example.org" -}}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end -}}
```
```
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org" -}}
{{ .Cert }}
{{ .Key }}
{{ .CA }}
{{ end -}}
```
Start Vault Agent with a single template stanza.
```hcl
template {
  source          = "./test_cert.ctmpl"
  destination     = "./test.pem"
  perms           = "0644"
  command         = ""
  command_timeout = "30s"
}
```
```console
$ grep -e BEGIN -e END *.pem
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN RSA PRIVATE KEY-----
test.pem:-----END RSA PRIVATE KEY-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
```
Add a second template stanza and restart Vault Agent.
```hcl
template {
  source          = "./foo_cert.ctmpl"
  destination     = "./foo.pem"
  perms           = "0644"
  command         = ""
  command_timeout = "30s"
}
```
```console
$ grep -e BEGIN -e END *.pem
foo.pem:-----BEGIN CERTIFICATE-----
foo.pem:-----END CERTIFICATE-----
foo.pem:-----BEGIN RSA PRIVATE KEY-----
foo.pem:-----END RSA PRIVATE KEY-----
foo.pem:-----BEGIN CERTIFICATE-----
foo.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN RSA PRIVATE KEY-----
test.pem:-----END RSA PRIVATE KEY-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
```
I have cleared everything and updated the templates with `writeToFile`.
```
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=test.test.example.org" -}}
{{ .Cert }}
{{ if .Key -}}
{{ .Key | writeToFile "./test.key" "root" "root" "0640" -}}
{{ end -}}
{{ end -}}
```
```
{{ with pkiCert "pki/issue/test-example-org" "ttl=1h" "common_name=foo.test.example.org" -}}
{{ .Cert }}
{{ if .Key -}}
{{ .Key | writeToFile "./foo.key" "root" "root" "0640" -}}
{{ end -}}
{{ end -}}
```
Removed the second template stanza and restarted the Agent again.
```console
$ grep -e BEGIN -e END *.{pem,key}
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.key:-----BEGIN RSA PRIVATE KEY-----
test.key:-----END RSA PRIVATE KEY-----
```
Added the second template to the Vault Agent config and restarted the Agent.
```console
$ grep -e BEGIN -e END *.{pem,key}
foo.pem:-----BEGIN CERTIFICATE-----
foo.pem:-----END CERTIFICATE-----
test.pem:-----BEGIN CERTIFICATE-----
test.pem:-----END CERTIFICATE-----
test.key:-----BEGIN RSA PRIVATE KEY-----
test.key:-----END RSA PRIVATE KEY-----
```
I have tried to remove the if statement but it just writes an empty file.
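A check for the rendered files, added here as an example and not code from this thread or from Vault: it parses the PEM blocks the `grep` commands above look for and reports which of `.Cert`, `.Key` and `.CA` are missing from a destination file (including the empty-file case), and flags a file that holds a private key but is world-accessible. The sample PEM bodies are constructed placeholders and paths given to `check_file` are hypothetical.

```python
import re
from pathlib import Path

# One PEM block; the backreference forces BEGIN and END labels to agree,
# so a truncated block is not counted as present.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

def pem_labels(text: str) -> list:
    """Labels of the complete PEM blocks in a rendered file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_rendered(text, want_cert=True, want_key=True, want_ca=True):
    """Compare the PEM blocks in a rendered file with what the template was
    supposed to emit. Returns a list of problems; an empty list means OK."""
    labels = pem_labels(text)
    if not labels:
        return ["file is empty or holds no complete PEM block"]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if want_cert and certs < 1:
        problems.append("missing leaf certificate (.Cert)")
    if want_ca and certs < (2 if want_cert else 1):
        problems.append("missing CA certificate (.CA)")
    if want_key and keys == 0:
        problems.append("missing private key (.Key)")
    if not want_key and keys > 0:
        problems.append("private key found in a file that should hold only certificates")
    return problems

def private_key_mode_ok(st_mode: int) -> bool:
    """A file holding a private key must not be readable or writable by 'other'."""
    return (st_mode & 0o007) == 0

def check_file(path, **wants):
    """Run the checks against a file on disk (the path is hypothetical)."""
    p = Path(path)
    problems = check_rendered(p.read_text(), **wants)
    if wants.get("want_key", True) and not private_key_mode_ok(p.stat().st_mode):
        problems.append(f"{path} is world-accessible but holds a private key")
    return problems

# Constructed samples with placeholder bodies: the full bundle the combined
# template should render, and the buggy output where only .Cert was written.
SAMPLE_FULL = (
    "-----BEGIN CERTIFICATE-----\nMIIC...leaf...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...key...\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIC...ca...\n-----END CERTIFICATE-----\n"
)
SAMPLE_CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIC...leaf...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(check_rendered(SAMPLE_FULL))       # []
    print(check_rendered(SAMPLE_CERT_ONLY))  # ['missing CA certificate (.CA)', 'missing private key (.Key)']
```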
We pulled in an updated version of consul-template with #16764 and #16775 that should fix both of these reported issues. Thanks for the reports @rgruyters!
Describe the bug
When using pkiCert for Vault Agent templates the certificate is generated, but not the keys nor CA.
To Reproduce
test_cert.ctmpl
test_cert.ctmpl
Validating the certificate:
Expected behavior
Expected output:
Environment:
- Vault Server Version (retrieve with `vault status`):
- Vault CLI Version (retrieve with `vault version`): Vault v1.11.2 (3a8aa12eba357ed2de3192b15c99c717afdeb2b5), built 2022-07-29T09:48:47Z
- Server Operating System/Architecture: Vault Server: Ubuntu 20.04; Vault Agents: Ubuntu 18.04 and Ubuntu 20.04
Vault server configuration file(s):